Confidential │ ©2019 VMware, Inc.
How to Design a Zero-Trust Architecture Using Workspace ONE
Arthur Tan, Sales Engineer, End-User Computing, Southeast Asia & Korea, VMware
Disclaimer
This presentation may contain product features or functionality that are currently under development.
This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
Technical feasibility and market demand will affect final delivery.
Pricing and packaging for any new features/functionality/technology discussed or presented, have not been determined.
This information is confidential.
The information in this presentation is for informational purposes only and may not be incorporated into any contract. There is no commitment or obligation to deliver any items presented herein.
Agenda
Overview of Zero Trust and BeyondCorp
My and VMware’s take on it
What’s coming next
Adobe: a real-life example
Why Is This Important?
Companies are struggling with employee expectations, ease of access and flexible workstyles.
Existing security architectures cannot cope with the wider adoption of SaaS.
We need to modernize our application/data access and security to cope with these shifts.
VMware Identity Manager is no more
Long live Workspace ONE Access
Same functionality, just a new name
Overview of Zero Trust and BeyondCorp: the why, what and how-ish
Why Do We Need a New Approach? It used to be us vs. them…
Why Do We Need a New Approach? …but the boundaries are getting blurred
When We Cannot Put Our Trust in the Perimeter: let’s treat all as external
Zero Trust vs. BeyondCorp: my viewpoint
Zero Trust
• Hybrid mode, some network trust
• Network/micro-segmentation
• VPN can be used
• “Never-Trust, Always-Verify”
BeyondCorp
• No network can be trusted
• Externally routable DNS names (FQDN)
• No VPN is to be used
• Access to applications requires corporate-owned devices and a valid authentication method to identify the user
• All traffic flows through a Secure Application Proxy
Never Trust, Always Verify... …well, I must trust something.
Device Trust
• Ownership
• Managed
• Compliant
User Trust
• Method of AuthN
• Behavior
• Geographically makes sense?
Application Trust
• Secured in code
• Data classification
• Role-based access
• Federation
• TTL access tokens
Transport Trust
• Communication method
• Encryption
Why Not Change Security Overnight? The problem is the diversity in application types…
…and devices
My and VMware’s take on Zero Trust/BeyondCorp: my opinion and VMware’s stand on it
Solution Mappings (diagram: VMware Horizon, Workspace ONE Access)
We Need a Hub! Users need one place to access it all (diagram: VMware Horizon)
VMware Workspace ONE Capabilities: different products/features that can aid in the transition
Device Management and Compliance
• Per-app VPN
• Certificate management
• Kerberos AuthN (iOS)
• Mobilization of content/data
Workspace ONE Access
• Conditional Access
• Single Sign-On
• Application Catalog
Horizon 7, Horizon Cloud, Horizon 7 on AWS
• Instantaneous mobilization of legacy applications
• Cloud delivery of legacy apps
• Simplify management and security of existing apps
• Allows for SSO into Active Directory
Unified Access Gateway
• Supports Workspace ONE UEM
• Secured Application Proxy
• Identity bridging for SSO support of legacy apps
• Device AuthN
Network Virtualization
• Micro-segmentation
• Distributed firewalls
• VPN
Workspace ONE Intelligence
• User & device risk score
• Device status/remediation
• Guide/nudge users into correct behavior
My Checklist to Implement Zero Trust/BeyondCorp (absolutely free of charge)
• Define long-term goal
• Block any new investments not supporting the long-term goal
• Adopt SaaS-based applications where possible
• Implement stepping-stone technology to ease management of and access to legacy applications
• Application portfolio rationalization
• Invest in re-coding of applications not supporting the new architecture
• Identify low-hanging fruit and move it to the new security architecture
• Get rid of Active Directory dependency
Building Zero Trust/BeyondCorp: my take on it…and somewhat VMware’s
• Only using released VMware products
• Identify and close gaps
• Wanted to support all applications
• One of many, many ways to modernize your security
Architecture diagram, layers shown: Users on any network (untrusted devices and trusted devices); Entry point layer; Device AuthN layer; Device AuthN bypass layer; User AuthN layer; User AuthN bypass layer; Access termination layer; Application back-end layer
How Do You Validate Trust of End Users’ Devices? Today’s static/Boolean approach
How Do You Validate Trust of End Users’ Devices? Contextualized risk analytics approach
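As an added example (not code from the presentation or from VMware), the two approaches on these slides contrasted in Python: a static/Boolean policy that fails closed on any unmet check, and a contextualized risk score built from the device, user, transport and application trust signals listed earlier, where the tolerated risk depends on the data classification and a password-only user is nudged to step up rather than denied. The field names, weights and ceilings are assumptions.

```python
from dataclasses import dataclass, replace

# Constructed access context carrying the trust signals from the
# "Never Trust, Always Verify" slide; all field names are assumptions.
@dataclass(frozen=True)
class AccessContext:
    corporate_owned: bool      # device trust: ownership
    managed: bool              # device trust: enrolled in UEM
    compliant: bool            # device trust: passes compliance policy
    auth_method: str           # user trust: "password", "mfa" or "certificate"
    implied_speed_kmh: float   # user trust: distance/time since last login
    behaviour_anomaly: float   # user trust: 0.0 normal .. 1.0 highly anomalous
    encrypted_transport: bool  # transport trust: TLS in use

def static_decision(ctx: AccessContext) -> bool:
    """Static/Boolean approach: every check must pass or access is denied."""
    return bool(ctx.corporate_owned and ctx.managed and ctx.compliant
                and ctx.auth_method in ("mfa", "certificate")
                and ctx.encrypted_transport)

def risk_score(ctx: AccessContext) -> int:
    """Contextualized approach: accumulate a 0..100 risk score from all signals."""
    score = 0
    score += 0 if ctx.corporate_owned else 30
    score += 0 if ctx.managed else 25
    score += 0 if ctx.compliant else 20
    score += {"certificate": 0, "mfa": 5, "password": 20}[ctx.auth_method]
    if ctx.implied_speed_kmh > 900:   # faster than an airliner: impossible travel
        score += 30
    score += round(20 * ctx.behaviour_anomaly)
    score += 0 if ctx.encrypted_transport else 40
    return min(score, 100)

# Highest risk tolerated per data classification (application trust); assumed values
RISK_CEILING = {"public": 80, "internal": 40, "confidential": 15}

def contextual_decision(ctx: AccessContext, data_classification: str) -> str:
    """Return 'allow', 'step-up' or 'deny' from risk versus data classification."""
    ceiling = RISK_CEILING[data_classification]
    if risk_score(ctx) <= ceiling:
        return "allow"
    # Before denying, check whether stronger authentication alone would bring
    # the risk under the ceiling; if so, nudge the user to step up instead.
    if ctx.auth_method == "password":
        if risk_score(replace(ctx, auth_method="mfa")) <= ceiling:
            return "step-up"
    return "deny"
```

The same non-compliant or password-only request that the Boolean policy rejects outright is allowed, stepped up or denied depending on what it is trying to reach.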
VMware’s Partnerships: Workspace ONE adds unique capabilities to partners
It Takes a Village: to transform experience and security (diagram: OS platform providers, rugged OS, Trust Network, Mobile Flows and Experiences)
Security Innovations We’ve Delivered 2018 (timeline, March to December)
• Workspace ONE Intelligence: acquisition, integration
• Workspace ONE Trust Network
• Workspace ONE Send for Microsoft: integration GA
• Horizon Cloud on Azure Government: partnership
• Workspace ONE Privacy Module
• SIIA CODiE Award
• 9.5: MDM channel security enhancements
• Cisco Security Connector integration
• 4 new Trust Network partners
• 9.6: broad security & mgmt enhancements, SSL certificate rotation for Tunnel
• Gartner Critical Capabilities for High Security Mobility Mgmt report
• 1810: SafetyNet Attestation API for Android, Tunnel for Android Enterprise and Legacy
• 1811: token revocation on Enterprise Wipe, Trusted Software Authority, RBAC and TLS for AirLift 1.1
• Horizon Cloud on Azure & NSX Cloud support
Security Innovations We’ve Delivered 2019 (timeline, January to August)
• Zero Trust whitepaper
• First UEM to integrate natively with BeyondCorp
• Common Criteria Certification EAL2+
• Workspace ONE Boxer NIAP (world’s first)
• 3 Trust Network partners are GA
• Secure SDK launch
• PIV-D Android Enterprise support
• 2019 SC Award Winner (Best Mobile Security)
• Intelligence User and Device Risk Analytics GA
• 1902: mapping SID value certificate requests for ADCS certificates
• 1908 / 9.7: mutual authentication between WS1 connector and Adaptiva Server
• Acquisition
What’s Coming Next
Data Access Without Application Access
VMware Mobile Flows allows interaction with only a subset of the application’s data without the need to launch the application.
• Unprecedented user experience
• Interact with only a data record or field
• Out-of-the-box connectors
• Custom connectors
Zero-Trust: Why Do We Need It?
Leverages Existing Investments In…
Demo – compliant device
Demo – non-compliant device
Key Takeaways: to sum it up
No vendor has a 100% complete solution that will solve it all
• Make sure there is a broad partner network
Standards, standards, and standards
• Though there are differences in how standards are implemented, you will not get locked in
This is a journey
• It will take dedication and motivation to reach your long-term goal…
• …and without a well-defined long-term goal it is impossible to reach it
Keep it simple
• Complexity is a threat to good security
Plan how to get away from on-premises Active Directory dependencies
Adobe did it…so can you!
Unleash Your IT Superpowers: go from zero to hero with the latest technical resources on the VMware Digital Workspace Tech Zone, TECHZONE.VMWARE.COM
Thank You!